Dependency-Based Anomaly Detection: Framework, Methods and Benchmark

Total Page:16

File Type:pdf, Size:1020Kb

Dependency-Based Anomaly Detection: Framework, Methods and Benchmark Dependency-based Anomaly Detection: Framework, Methods and Benchmark Sha Lu : [email protected] Lin Liu : [email protected] Jiuyong Li : [email protected] Thuc Duy Le : [email protected] Jixue Liu : [email protected] University of South Australia , Adelaide, SA 5095, Australia Editor: TBD Abstract Anomaly detection is an important research problem because anomalies often contain criti- cal insights for understanding the unusual behavior in data. One type of anomaly detection approach is dependency-based, which identifies anomalies by examining the violations of the normal dependency among variables. These methods can discover subtle and meaningful anomalies with better interpretation. Existing dependency-based methods adopt different implementations and show different strengths and weaknesses. However, the theoretical fundamentals and the general process behind them have not been well studied. This paper proposes a general framework, DepAD, to provide a unified process for dependency-based anomaly detection. DepAD decomposes unsupervised anomaly detection tasks into feature selection and prediction problems. Utilizing off-the-shelf techniques, the DepAD frame- work can have various instantiations to suit different application domains. Comprehensive experiments have been conducted over one hundred instantiated DepAD methods with 32 real-world datasets to evaluate the performance of representative techniques in DepAD. To show the effectiveness of DepAD, we compare two DepAD methods with nine state-of-the- art anomaly detection methods, and the results show that DepAD methods outperform comparison methods in most cases. Through the DepAD framework, this paper gives guidance and inspiration for future research of dependency-based anomaly detection and provides a benchmark for its evaluation. arXiv:2011.06716v1 [cs.LG] 13 Nov 2020 Keywords: Anomaly Detection, Dependency-based Anomaly Detection, Causal Feature Selection, Bayesian Networks, Markov Blanket 1. Introduction Anomalies are patterns in data that do not conform to a well-defined notion of normal behavior (Chandola et al., 2009). They often contain insights about the unusual behaviors or abnormal characteristics of the data generation process, which may imply flaws or misuse of a system. For example, an anomaly in network traffic data may suggest a threat of cyber security (Buczak and Guven, 2015), and an unusual pattern in credit card transaction data may imply fraud (Kou et al., 2004). Anomaly detection has been intensively researched 1 and widely applied to various domains, such as cyber-intrusion detection, fraud detection, medical diagnosis and law enforcement (Aggarwal, 2016; Chandola et al., 2009). The mainstream anomaly detection methods are based on proximity, including distance- based methods (Knorr and Ng, 1997, 1998; Ramaswamy et al., 2000; Angiulli and Pizzuti, 2005) and density-based methods (Breunig et al., 2000; Tang et al., 2002; Zhang et al., 2009; Kriegel et al., 2009a; Yan et al., 2017). Proximity-based methods work under the assumption that normal objects are in a dense neighborhood, while anomalies stay far away from other objects or in a sparse neighborhood (Aggarwal, 2016; Chandola et al., 2009). Another line of research in anomaly detection is to exploit the dependency among vari- ables, assuming normal objects follow the dependency while anomalies do not. Dependency- based methods (Lu et al., 2020; Paulheim and Meusel, 2015; Noto et al., 2012; Babbar and Chawla, 2012; Huang et al., 2003) first discover variable dependency possessed by the ma- jority of objects, then the anomalousness of objects is evaluated through how well they follow the dependency. The objects that significantly deviate from normal dependency are reported as anomalies. This paper focuses on dependency-based methods. Dependency-based approach is fundamentally different from proximity-based approach because it considers the relationship among variables, while proximity-based approach relies on the relationship among objects. Exploiting variable dependency for anomaly detection gives rise to a few advantages, as illustrated with the following examples. Example 1 (Better extrapolation capability.) Figure 1 shows a dataset of 453 objects, each with two variables, human's age and weight. It is adapted from a real-world dataset, Arrhythmia, in the UCI data repository (Dua and Graff, 2017), by taking only the age and weight attributes of the information of 452 people in the dataset (shown as black dots in Figure 1) and adding an unusual object o with age 100 and weight 65 kg (shown by the red triangle on the right). In the figure, the blue curve is the regression line showing the relationship between age and weight. The shade around the blue line represents the 95% confidence interval. When the two types of anomaly detection methods are applied to this dataset, a proximity- based method will report o as an anomaly because it stays far away from other objects. In contrast, o will not be reported by a dependency-based method because although o stays far away from other objects, it follows the dependency relationship between the two variables, i.e., the blue curve. Then, one must wonder, should we consider o to be an anomaly or not? A common way to answer this question is to check against the purpose of the analysis. If the detection is to identify people with obesity, then o is not a true anomaly. In this case, the correct conclusion can only be drawn through checking the dependency between the two variables, weight and age. Example 2 (Ability to find intrinsic patterns and better interpretability.) The dependency deviation identified by a dependency-based method can reveal some intrinsic patterns that cannot be found by proximity-based methods, and these patterns can provide meaningful interpretations of the detected anomalies. In this example, we use the Zoo dataset from the UCI machine learning repository (Dua and Graff, 2017), which contains information about 101 animals belonging to 7 classes. For each animal, 16 variables are used to describe its features, such as if it has hair and if it produces milk. It is noted that 2 Figure 1: An example showing the proximity-based and dependency-based anomaly meth- ods produce opposite detection results the class labels are only used to evaluate anomaly detection results. For visualization, we use T-distributed Stochastic Neighbor Embedding (t-SNE) (Maaten and Hinton, 2008) to map the dataset (without class labels) into two-dimensional space. As shown in Figure 2, different classes are marked with different letters in different colors. Three proximity-based methods, wkNN (Angiulli and Pizzuti, 2005), LOF (Breunig et al., 2000) and FastABOD (Kriegel et al., 2008), and a dependency-based method, LoPAD (Lu et al., 2020), are applied to the dataset. The top 10 anomalies detected by each method are shaded with gray circles, and the numbers attached to the circles are their ranks (the smaller the number, the higher the anomalousness). The names and ranks of the anomalous animals are shown in the grey box in each sub-figure. Overall, the four methods yield very different results. LOF mainly detects anomalies at the edge of the dense cluster, i.e., the mammal cluster. WkNN and FastABOD mostly identify anomalies in sparse areas, i.e., other clusters except for mammal. The anomalies detected by LoPAD are well-distributed in both dense and sparse areas. As to interpretability, LOF and wkNN only output anomaly scores with the detected anomalies, which does not help with explaining the reason for the detected anomalies. FastA- BOD and LoPAD provide additional explanations. FastABOD first exams the difference between a detected anomaly and its most similar object in the dataset, then reports top devi- ated variables and their deviations to explain the anomaly. An example given in the original paper of FastABOD explains a detected anomaly, scorpion, for which the most similar ani- mal of scorpion found by FastABOD is termite. Comparing scorpion to termite, FastABOD reports the reasons for scorpion being an anomaly as: 1) scorpion has eight instead of six legs; 2) it is venomous; 3) it has a tail. In contrast, the explanation by LoPAD is based on the deviation from normal depen- dency. Scorpion is reported as an anomaly by LoPAD because it significantly deviates from 3 (a) LOF (b) wkNN (c) FastABOD (d) LoPAD Figure 2: Top-10 anomalies detected by LOF, wkNN, FastABOD and LoPAD on the Zoo dataset the two dependencies: 1) if an animal has a tail, it is likely to have a backbone, while a scorpion has a tail but has no backbone. 2) if an animal does not produce milk, it likely lays eggs, but a scorpion neither produces milk nor lays eggs. Comparing the two explanations, one can see that LoPAD provides more reasonable and meaningful interpretations. The two examples have shown that dependency-based methods can detect meaning- ful anomalies that proximity-based methods fail to uncover with a better explanation for detected anomalies to help decision-making. However, dependency-based approach has not received enough attention in the anomaly detection community. Through literature review, we only find a very small number of methods that fully exploit dependency to detect anomalies (Lu et al., 2020; Paulheim and Meusel, 2015; Noto et al., 2012; Babbar and Chawla, 2012). Existing dependency-based methods adopt different implementations and show different strengths and weaknesses, but the fundamental ideas and the general process behind these methods have not been well studied. There is a need to explore further in this direction to take advantage of the possible dependency among variables for anomaly detection. In this paper, we propose a Dependency-based Anomaly Detection framework (DepAD) to provide a unified process of dependency-based anomaly detection. The goal of DepAD is twofold: 1) as a general framework, to guide the development and evaluation of new dependency-based methods; 2) as a reference model or abstraction of existing dependency- based methods, to help the understanding and communication about these methods.
Recommended publications
  • Outlier Detection in Graphs: a Study on the Impact of Multiple Graph Models
    Computer Science and Information Systems 16(2):565–595 https://doi.org/10.2298/CSIS181001010C Outlier Detection in Graphs: A Study on the Impact of Multiple Graph Models Guilherme Oliveira Campos1;2, Edre´ Moreira1, Wagner Meira Jr.1, and Arthur Zimek2 1 Federal University of Minas Gerais Belo Horizonte, Minas Gerais, Brazil fgocampos,edre,[email protected] 2 University of Southern Denmark Odense, Denmark [email protected] Abstract. Several previous works proposed techniques to detect outliers in graph data. Usually, some complex dataset is modeled as a graph and a technique for de- tecting outliers in graphs is applied. The impact of the graph model on the outlier detection capabilities of any method has been ignored. Here we assess the impact of the graph model on the outlier detection performance and the gains that may be achieved by using multiple graph models and combining the results obtained by these models. We show that assessing the similarity between graphs may be a guid- ance to determine effective combinations, as less similar graphs are complementary with respect to outlier information they provide and lead to better outlier detection. Keywords: outlier detection, multiple graph models, ensemble. 1. Introduction Outlier detection is a challenging problem, since the concept of outlier is problem-de- pendent and it is hard to capture the relevant dimensions in a single metric. The inherent subjectivity related to this task just intensifies its degree of difficulty. The increasing com- plexity of the datasets as well as the fact that we are deriving new datasets through the integration of existing ones is creating even more complex datasets.
    [Show full text]
  • Comparison of Data Mining Methods on Different Applications: Clustering and Classification Methods
    Inf. Sci. Lett. 4, No. 2, 61-66 (2015) 61 Information Sciences Letters An International Journal http://dx.doi.org/10.12785/isl/040202 Comparison of Data Mining Methods on Different Applications: Clustering and Classification Methods Richard Merrell∗ and David Diaz Department of Computer Engineering, Yerevan University, Yerevan, Armenia. Received: 12 Jan. 2015, Revised: 21 Apr. 2015, Accepted: 24 Apr. 2015 Published online: 1 May 2015 Abstract: Cluster analysis or clustering is the task of grouping a set of objects in such a way that objects in the same group (called a cluster) are more similar (in some sense or another) to each other than to those in other groups (clusters). It is a main task of exploratory data mining, and a common technique for statistical data analysis, used in many fields, including machine learning, pattern recognition, image analysis, information retrieval, and bioinformatics. In this review we study different type if clustering methods. Keywords: Clustering, Data Mining, Ensemble, Big data. 1 Introduction connected by an edge can be considered as a prototypical form of cluster. Relaxations of the complete connectivity According to Vladimir Estivill-Castro, the notion of a requirement (a fraction of the edges can be missing) are ”cluster” cannot be precisely defined, which is one of the known as quasi-cliques. A ”clustering” is essentially a set reasons why there are so many clustering algorithms [1,2, of such clusters, usually containing all objects in the data 3,4]. There is a common denominator: a group of data set. Additionally, it may specify the relationship of the objects.
    [Show full text]
  • A Study on the Impact of Multiple Graph Models Campos, Guilherme Oliveira; Moreira, Edré; Meira, Wagner; Zimek, Arthur
    University of Southern Denmark Outlier detection in graphs A study on the impact of multiple graph models Campos, Guilherme Oliveira; Moreira, Edré; Meira, Wagner; Zimek, Arthur Published in: Computer Science and Information Systems DOI: 10.2298/CSIS181001010C Publication date: 2019 Document version: Final published version Citation for pulished version (APA): Campos, G. O., Moreira, E., Meira, W., & Zimek, A. (2019). Outlier detection in graphs: A study on the impact of multiple graph models. Computer Science and Information Systems, 16(2), 565-595. https://doi.org/10.2298/CSIS181001010C Go to publication entry in University of Southern Denmark's Research Portal Terms of use This work is brought to you by the University of Southern Denmark. Unless otherwise specified it has been shared according to the terms for self-archiving. If no other license is stated, these terms apply: • You may download this work for personal use only. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying this open access version If you believe that this document breaches copyright please contact us providing details and we will investigate your claim. Please direct all enquiries to [email protected] Download date: 08. Oct. 2021 Computer Science and Information Systems 16(2):565–595 https://doi.org/10.2298/CSIS181001010C Outlier Detection in Graphs: A Study on the Impact of Multiple Graph Models Guilherme Oliveira Campos1;2, Edre´ Moreira1, Wagner Meira Jr.1, and Arthur Zimek2 1 Federal University of Minas Gerais Belo Horizonte, Minas Gerais, Brazil fgocampos,edre,[email protected] 2 University of Southern Denmark Odense, Denmark [email protected] Abstract.
    [Show full text]
  • Automated Exploration for Interactive Outlier Detection
    KDD 2017 Research Paper KDD’17, August 13–17, 2017, Halifax, NS, Canada REMIX: Automated Exploration for Interactive Outlier Detection Yanjie Fu Charu Aggarwal Srinivasan Parthasarathy Missouri U. of Science & Technology IBM T. J. Watson Research Center IBM T. J. Watson Research Center Missouri, USA NY, USA NY, USA [email protected] [email protected] [email protected] Deepak S. Turaga Hui Xiong IBM T. J. Watson Research Center Rutgers University NY, USA NJ, USA [email protected] [email protected] ABSTRACT is widely used in many applications such as nancial fraud detec- Outlier detection is the identication of points in a dataset that tion, Internet trac monitoring, and cyber security [4]. Outlier do not conform to the norm. Outlier detection is highly sensitive detection is highly sensitive to the choice of the detection algorithm to the choice of the detection algorithm and the feature subspace and the feature subspace used by the algorithm [4, 5, 35]. Further, used by the algorithm. Extracting domain-relevant insights from outlier detection is oen performed on high dimensional data in outliers needs systematic exploration of these choices since diverse an unsupervised manner without data labels; distinct sets of out- outlier sets could lead to complementary insights. is challenge is liers discovered through dierent algorithmic choices could reveal especially acute in an interactive seing, where the choices must be complementary insights about the application domain. us, unsu- explored in a time-constrained manner. pervised outlier detection is a data analysis task which inherently In this work, we present REMIX, the rst system to address the requires a principled exploration of the diverse algorithmic choices problem of outlier detection in an interactive seing.
    [Show full text]
  • My Journey to Data Mining
    Ludwig-Maximilians-Universität München Institut für Informatik DATABASE Lehr- und Forschungseinheit für Datenbanksysteme SYSTEMS GROUP My Journey to Data Mining Hans-Peter Kriegel Ludwig-Maximilians-Universität München München, Germany 1 DATABASE In the beginning… SYSTEMS GROUP • spatial databases – spatial data mining height profile: Maunga Whau Volcano (Mt. Eden), Auckland, New Zealand 2 DATABASE Density-based Clustering: Intuition SYSTEMS GROUP • probability density function of the data • threshold at high probability density level • cluster of low probability density disappears to noise probability density function 3 DATABASE Density-based Clustering: Intuition SYSTEMS GROUP • low probability density level • 2 clusters are merged to 1 probability density function 4 DATABASE Density-based Clustering: Intuition SYSTEMS GROUP • medium (good) probability density level • 3 clusters are well separated probability density function 5 DATABASE DBSCAN SYSTEMS GROUP DBSCAN: Density-Based Spatial Clustering of Applications with Noise [Ester, Kriegel, Sander, Xu KDD 1996] minPts = 5 • Core points have at least minPts points in their -neighborhood • Density connectivity is defined based on core points • Clusters are transitive hulls of density-connected points 6 DATABASE DBSCAN SYSTEMS GROUP • DBSCAN received the 2014 SIGKDD Test of Time Award • DBSCAN Revisited: Mis-claim, Un-Fixability, and Approximation [Gan & Tao SIGMOD 2015] – Mis-claim according to Gan & Tao: DBSCAN terminates in O(n log n) time. DBSCAN actually runs in O(n²) worst-case time. – Our KDD 1996 paper claims: DBSCAN has an “average“ run time complexity of O(n log n) for range queries with a “small“ radius (compared to the data space size) when using an appropriate index structure (e.g. R*-tree) – The criticism should have been directed at the “average“ performance of spatial index structures such as R*-trees and not at an algorithm that uses such index structures 7 DATABASE DBSCAN SYSTEMS GROUP • Contributions of the SIGMOD 2015 paper (apply only to Euclidean distance) 1.
    [Show full text]
  • Outlier Detection with Explanations on Music Streaming Data: a Case Study with Danmark Music Group Ltd
    applied sciences Article Outlier Detection with Explanations on Music Streaming Data: A Case Study with Danmark Music Group Ltd. Jonas Herskind Sejr 1,* , Thorbjørn Christiansen 2, Nicolai Dvinge 2, Dan Hougesen 2 and Peter Schneider-Kamp 1 and Arthur Zimek 1 1 Department of Mathematics & Computer Science, University of Southern Denmark, 5230 Odense, Denmark; [email protected] (P.S.-K.); [email protected] (A.Z.) 2 Danmark Music Group Ltd., Dartmouth TQ6 9BE, UK; [email protected] (T.C.); [email protected] (N.D.); [email protected] (D.H.) * Correspondence: [email protected]; Tel.: +45-52-34-2918 Abstract: In the digital marketplaces, businesses can micro-monitor sales worldwide and in real-time. Due to the vast amounts of data, there is a pressing need for tools that automatically highlight chang- ing trends and anomalous (outlier) behavior that is potentially interesting to users. In collaboration with Danmark Music Group Ltd. we developed an unsupervised system for this problem based on a predictive neural network. To make the method transparent to developers and users (musicians, music managers, etc.), the system delivers two levels of outlier explanations: the deviation from the model prediction, and the explanation of the model prediction. We demonstrate both types of outlier explanations to provide value to data scientists and developers during development, tuning, and evaluation. The quantitative and qualitative evaluation shows that the users find the identified Citation: Herskind Sejr, J.; trends and anomalies interesting and worth further investigation. Consequently, the system was inte- Christiansen, T.; Dvinge, N.; grated into the production system. We discuss the challenges in unsupervised parameter tuning and Hougesen, D.; Schneider-Kamp, P.; show that the system could be further improved with personalization and integration of additional Zimek, A.
    [Show full text]
  • Angle-Based Outlier Detectin in High-Dimensional Data
    in Proc. of the 14th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD'08), Las Vegas, NV, 2008, pp. 444-452. Angle-Based Outlier Detection in High-dimensional Data Hans-Peter Kriegel Matthias Schubert Arthur Zimek Ludwig-Maximilians-Universität München Oettingenstr. 67, 80538 München, Germany http://www.dbs.ifi.lmu.de {kriegel,schubert,zimek}@dbs.ifi.lmu.de ABSTRACT mechanisms or statistical processes. Distinct deviations from the Detecting outliers in a large set of data objects is a major data main distributions then are supposed to originate from a different mining task aiming at finding different mechanisms responsible for mechanism. Such a different mechanism may be a fraud, a dis- different groups of objects in a data set. All existing approaches, turbance impairing the sensors, or simply incorrect reading of the however, are based on an assessment of distances (sometimes in- measurement equipment. But it could also be an unexpected and directly by assuming certain distributions) in the full-dimensional therefore interesting behavior requiring an adaptation of the the- Euclidean data space. In high-dimensional data, these approaches ory underlying to the experiment in question. This ambivalence are bound to deteriorate due to the notorious “curse of dimension- in the meaning of outliers is expressed in the frequently cited sen- ality”. In this paper, we propose a novel approach named ABOD tence “one person’s noise is another person’s signal”. Thus, a well (Angle-Based Outlier Detection) and some variants assessing the known characterization of an outlier is given by Hawkins as being variance in the angles between the difference vectors of a point to “an observation which deviates so much from other observations the other points.
    [Show full text]
  • Density-Based Clustering Validation
    to appear in: Proceedings of the 14th SIAM International Conference on Data Mining (SDM), Philadelphia, PA, 2014 Density-Based Clustering Validation Davoud Moulavi∗ Pablo A. Jaskowiak∗y Ricardo J. G. B. Campelloy Arthur Zimekz Jörg Sander∗ Abstract but also have to properly tune its parameters. Such One of the most challenging aspects of clustering is valida- choices are closely related to clustering validation, one of tion, which is the objective and quantitative assessment of the most challenging topics in the clustering literature. clustering results. A number of different relative validity As stated by Jain and Dubes [20], “without a strong criteria have been proposed for the validation of globular, effort in this direction, cluster analysis will remain a clusters. Not all data, however, are composed of globular black art accessible only to those true believers who have clusters. Density-based clustering algorithms seek partitions experience and great courage”. More striking than the with high density areas of points (clusters, not necessarily statement itself is the fact that it still holds true after globular) separated by low density areas, possibly contain- 25 years, despite all the progress that has been made. ing noise objects. In these cases relative validity indices pro- A common approach to evaluate the quality of clus- posed for globular cluster validation may fail. In this paper tering solutions involves the use of internal validity cri- we propose a relative validation index for density-based, ar- teria [20]. Many of such measures allow one to rank so- bitrarily shaped clusters. The index assesses clustering qual- lutions accordingly to their quality and are hence called ity based on the relative density connection between pairs of relative validity criteria.
    [Show full text]
  • Outlier Detection Techniques
    LUDWIG- MAXIMILIANS- DATABASE UNIVERSITÄT INSTITUTE FOR SYSTEMS MÜNCHEN INFORMATICS GROUP 16th ACM SIGKDD Conference on Knowledge Discovery and Data Mining Outlier Detection Techniques Hans-Peter Kriegel, Peer Kröger, Arthur Zimek Ludwig-Maximilians-Universität München Munich, Germany http://www.dbs.ifi.lmu.de {kriegel,kroegerp,zimek}@dbs.ifi.lmu.de Tutorial Notes: KDD 2010, Washington, D.C. DATABASE General Issues SYSTEMS GROUP 1. Please feel free to ask questions at any time during the presenttitation 2. Aim of the tutorial: get the big picture – NOT in terms of a long list of methods and algorithms – BUT in terms of the basic approaches to modeling outliers – Sample algorithms for these basic approaches will be sketched • The selection of the presented algorithms is somewhat arbitrary • Please don’ t mind if your favorite algorithm is missing • Anyway you should be able to classify any other algorithm not covered here by means of which of the basic approaches is implemented 3. The revised version of tutorial notes will soon be available on our websites Kriegel/Kröger/Zimek: Outlier Detection Techniques (KDD 2010) 2 DATABASE Introduction SYSTEMS GROUP What is an outlier? Definition of Hawkins [Hawkins 1980]: “An outlier is an observation which deviates so much from the other observations as to arouse suspicions that it was generated by a different mechanism” Statistics-based intuition – Norma l data objects fo llo w a “ gen er atin g m ech ani sm” , e. g. som e given statistical process – Abnormal objects deviate from this generating mechanism Kriegel/Kröger/Zimek: Outlier Detection Techniques (KDD 2010) 3 DATABASE Introduction SYSTEMS GROUP • Example: Hadlum vs.
    [Show full text]
  • 47 Internal Evaluation of Unsupervised Outlier Detection
    Internal Evaluation of Unsupervised Outlier Detection HENRIQUE O. MARQUES, University of São Paulo RICARDO J. G. B. CAMPELLO, University of Newcastle 47 JÖRG SANDER, University of Alberta ARTHUR ZIMEK, University of Southern Denmark Although there is a large and growing literature that tackles the unsupervised outlier detection problem, the unsupervised evaluation of outlier detection results is still virtually untouched in the literature. The so-called internal evaluation, based solely on the data and the assessed solutions themselves, is required if one wants to statistically validate (in absolute terms) or just compare (in relative terms) the solutions provided by different algorithms or by different parameterizations of a given algorithm in the absence of labeled data. However, in contrast to unsupervised cluster analysis, where indexes for internal evaluation and validation of clustering solutions have been conceived and shown to be very useful, in the outlier detection domain, this problem has been notably overlooked. Here we discuss this problem and provide a solution for the internal evaluation of outlier detection results. Specifically, we describe an index called Internal, Relative Evaluation of Outlier Solutions (IREOS) that can evaluate and compare different candidate outlier detection solutions. Initially, the index is designed to evaluate binary solutions only, referred to as top-n outlier detection results. We then extend IREOS to the general case of non-binary solutions, consisting of outlier detection scorings. We also statistically adjust IREOS for chance and extensively evaluate it in several experiments involving different collections of synthetic and real datasets. CCS Concepts: • Information systems → Data mining;•Computing methodologies → Anomaly de- tection; Additional Key Words and Phrases: Outlier detection, unsupervised evaluation, validation ACM Reference format: Henrique O.
    [Show full text]
  • Arxiv:1901.01588V2 [Cs.LG] 10 Jun 2019 a Means to Reliably Perform Pattern Recognition (Akoglu Et Al., 2012)
    Journal of Machine Learning Research 20 (2019) 1-7 Submitted 1/19; Revised 4/19; Published 5/19 PyOD: A Python Toolbox for Scalable Outlier Detection Yue Zhao [email protected] Carnegie Mellon University∗ Pittsburgh, PA 15213, USA Zain Nasrullah [email protected] University of Toronto Toronto, ON M5S 2E4, Canada Zheng Li jk [email protected] Northeastern University Toronto Toronto, ON M5X 1E2, Canada Editor: Alexandre Gramfort Abstract PyOD is an open-source Python toolbox for performing scalable outlier detection on multi- variate data. Uniquely, it provides access to a wide range of outlier detection algorithms, including established outlier ensembles and more recent neural network-based approaches, under a single, well-documented API designed for use by both practitioners and researchers. With robustness and scalability in mind, best practices such as unit testing, continuous in- tegration, code coverage, maintainability checks, interactive examples and parallelization are emphasized as core components in the toolbox's development. PyOD is compatible with both Python 2 and 3 and can be installed through Python Package Index (PyPI) or https://github.com/yzhao062/pyod. Keywords: anomaly detection, outlier detection, outlier ensembles, neural networks, machine learning, data mining, Python 1. Introduction Outlier detection, also known as anomaly detection, refers to the identification of rare items, events or observations which differ from the general distribution of a population. Since the ground truth is often absent in such tasks, dedicated outlier detection algorithms are extremely valuable in fields which process large amounts of unlabelled data and require arXiv:1901.01588v2 [cs.LG] 10 Jun 2019 a means to reliably perform pattern recognition (Akoglu et al., 2012).
    [Show full text]
  • Community Distribution Outlier Detection in Heterogeneous Information Networks
    Community Distribution Outlier Detection in Heterogeneous Information Networks Manish Gupta1, Jing Gao2, and Jiawei Han3 1 Microsoft, India ([email protected]) 2 SUNY, Buffalo, NY ([email protected]) 3 UIUC, IL ([email protected]) Abstract. Heterogeneous networks are ubiquitous. For example, bibliographic data, social data, medical records, movie data and many more can be modeled as heterogeneous networks. Rich information associated with multi-typed nodes in heterogeneous networks motivates us to propose a new definition of outliers, which is different from those defined for homogeneous networks. In this paper, we propose the novel concept of Community Distribution Outliers (CDOutliers) for heterogeneous information networks, which are defined as objects whose community distribution does not follow any of the popular community distri- bution patterns. We extract such outliers using a type-aware joint analysis of mul- tiple types of objects. Given community membership matrices for all types of objects, we follow an iterative two-stage approach which performs pattern dis- covery and outlier detection in a tightly integrated manner. We first propose a novel outlier-aware approach based on joint non-negative matrix factorization to discover popular community distribution patterns for all the object types in a holistic manner, and then detect outliers based on such patterns. Experimental results on both synthetic and real datasets show that the proposed approach is highly effective in discovering interesting community distribution outliers. 1 Introduction Heterogeneous information networks are omnipresent. In such networks, the nodes are of different types and relationships between nodes are encoded using multi-typed edges. For example, bibliographic networks consist of authors, conferences, papers and title keywords.
    [Show full text]